Real-time API threat detection and mitigation for FinTech systems
FinTech platforms face critical security challenges:
- Rate Abuse: Attackers flood APIs with excessive requests
- Credential Stuffing: Repeated authentication failures signal brute-force attempts
- Suspicious Patterns: Unusual endpoint access sequences indicate malicious behavior
- Limited Visibility: Traditional monitoring misses security threats at the API level
Sentinel Protocol addresses these gaps with intelligent, real-time threat detection.
- Multi-Layer Threat Detection Engine
  - Rate limit abuse (>100 req/min threshold)
  - Failed authentication tracking (>5 failures in 10 min)
  - Transaction anomaly detection (no balance check before payment)
  - Honeypot endpoint for attacker identification
- Intelligent Pattern Recognition
  - Correlated incident analysis
  - Geographic anomaly detection
  - Behavioral fingerprinting
- Live Dashboard with ECharts visualizations
- Request Timeline showing traffic patterns
- Alert System with severity levels (CRITICAL/HIGH/MEDIUM/LOW)
- IP Management with whitelist/blacklist controls
- Rate Limiting via Redis (100 req/min per IP)
- Automatic IP Blocking with configurable duration
- Multi-IP Simulation using `X-Simulated-IP` headers
- Export & Reporting (CSV/JSON formats)
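The two storage modes above (Redis rate limiting, with an in-memory fallback when Redis is absent) are easy to get subtly wrong: a read-then-write counter lets concurrent workers undercount a flood, and a client-supplied IP header lets a blocked client dodge the limiter. The following is an added example written for this README, not code from the Sentinel Protocol repository; it assumes a redis-py client object if Redis is used, and treats the `X-Simulated-IP` header as a demo-only override that is off by default.

```python
import time

# Added example (not the project's code): per-IP fixed-window rate limiting at the
# README's 100 req/min threshold, backed by Redis when a client is supplied and by an
# in-memory dict otherwise.

LIMIT_PER_MINUTE = 100
WINDOW_SECONDS = 60


def window_key(ip, now):
    # One key per IP per calendar minute. Because the key changes when the window
    # rolls over, a plain TTL on each key is enough to retire old windows.
    return f"ratelimit:{ip}:{int(now // WINDOW_SECONDS)}"


class InMemoryCounter:
    """Fallback store used when Redis is unavailable (valid for a single process only)."""

    def __init__(self):
        self._data = {}  # key -> (count, expires_at)

    def incr(self, key, ttl, now):
        count, expires_at = self._data.get(key, (0, now + ttl))
        if now >= expires_at:  # window elapsed: start counting again
            count, expires_at = 0, now + ttl
        count += 1
        self._data[key] = (count, expires_at)
        # Drop expired windows so the dict does not grow without bound.
        self._data = {k: v for k, v in self._data.items() if v[1] > now}
        return count


class RedisCounter:
    """Redis store: INCR and EXPIRE are sent in one MULTI/EXEC pipeline, so the
    count stays exact even with several Flask workers hitting the same key."""

    def __init__(self, client):
        self._client = client  # assumed: a connected redis.Redis() instance

    def incr(self, key, ttl, now):
        pipe = self._client.pipeline()
        pipe.incr(key)
        pipe.expire(key, ttl)
        count, _ = pipe.execute()
        return count


class RateLimiter:
    def __init__(self, store):
        self._store = store

    def check(self, ip, now=None):
        """Record one request from ip; return (allowed, count_in_current_window)."""
        now = time.time() if now is None else now
        count = self._store.incr(window_key(ip, now), WINDOW_SECONDS, now)
        return count <= LIMIT_PER_MINUTE, count


def client_ip(headers, remote_addr, trust_simulated_header=False):
    # X-Simulated-IP exists for the README's multi-IP simulator. A header the client
    # chooses must never override the socket address outside a demo, otherwise a
    # blocked client simply picks a fresh "IP" on its next request.
    if trust_simulated_header and headers.get("X-Simulated-IP"):
        return headers["X-Simulated-IP"]
    return remote_addr


def make_limiter(redis_client=None):
    """Use Redis when a client is given and answers PING, else fall back to memory."""
    if redis_client is not None:
        try:
            redis_client.ping()
            return RateLimiter(RedisCounter(redis_client))
        except Exception:
            pass
    return RateLimiter(InMemoryCounter())
```

The window key embeds the minute number rather than relying on a sliding TTL, so resetting the TTL on every INCR (which the pipeline does) cannot extend a window; the in-memory store mirrors the same key scheme so both backends enforce identical limits.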
```
┌───────────────────┐      ┌────────────────────┐      ┌───────────────────┐
│  Mock FinTech     │─────▶│  Logging Layer     │─────▶│  SQLite DB        │
│  APIs             │      │  (Middleware)      │      │  (Indexed)        │
└───────────────────┘      └────────────────────┘      └───────────────────┘
                                                                │
                                                                ▼
                                                   ┌─────────────────────────┐
                                                   │  Detection Engine       │
                                                   │  (Background Thread)    │
                                                   └─────────────────────────┘
                                                                │
                                        ┌───────────────────────┼───────────────────────┐
                                        ▼                       ▼                       ▼
                                 ┌────────────┐          ┌────────────┐          ┌────────────┐
                                 │  Alerts    │          │  Blocking  │          │  Redis     │
                                 │  Database  │          │  System    │          │  Cache     │
                                 └────────────┘          └────────────┘          └────────────┘
                                                                │
                                                                ▼
                                                       ┌─────────────────┐
                                                       │  Dashboard      │
                                                       │  (React UI)     │
                                                       └─────────────────┘
```
- Python 3.9+
- Redis (optional, falls back to in-memory storage)
- Clone the repository
  ```bash
  git clone https://github.com/x4r5h/API-Abuse-Detection.git
  cd API-Abuse-Detection
  ```
- Install dependencies
  ```bash
  pip install flask flask-cors redis
  ```
- Start Redis (optional but recommended)
  ```bash
  redis-server
  ```
- Run the application
  ```bash
  python app.py
  ```
- Access the dashboard at http://localhost:5000
Open APIabuser.html in your browser and click "Start Normal Traffic"
- Realistic user behavior with varied timing
- Proper authentication flow
- Expected endpoint sequences
- Rate Limit Attack: Single IP exceeding 100 req/min
- Distributed DDoS: Multiple IPs flooding simultaneously
- Brute Force: Multiple failed authentication attempts
- Honeypot Trigger: Accessing admin endpoints
- Combined Attack: Real-world botnet simulation
- Dashboard updates in real-time
- Alerts appear with severity indicators
- IPs get automatically blocked
- Logs captured with full details
```
sentinel-protocol/
├── app.py                   # Flask backend with detection engine
├── templates/
│   ├── index.html           # Main dashboard
│   ├── logs.html            # Log analysis page
│   ├── alerts.html          # Security alerts page
│   └── ip-management.html   # IP control panel
├── static/
│   └── js/
│       ├── main.js          # Dashboard logic
│       ├── logs.js          # Log filtering & export
│       ├── alerts.js        # Alert management
│       └── ip-management.js # IP whitelist/blacklist
├── APIabuser.html           # Multi-IP attack simulator
├── main.db                  # SQLite database (auto-created)
└── README.md
```
| Threat Type | Condition | Action |
|---|---|---|
| Rate Abuse | >100 requests/min from single IP | Block 5 min |
| Failed Auth | >5 failed auth in 10 min | Block 30 min |
| Transaction Anomaly | Payment without balance check | Alert MEDIUM |
| Honeypot Access | Any request to /api/admin/* | Block 1 hour + CRITICAL alert |
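The table above is the whole rule set, so it is worth seeing how a background sweep over logged requests turns it into alerts and block decisions. The code below is an added example for this README, not the repository's `app.py`; it assumes a failed authentication is any request answered with HTTP 401, uses a hypothetical `/api/login` path in its constructed sample log, and assigns severity HIGH to rate abuse and failed auth because the table gives no severity for those two rows.

```python
from collections import Counter
from dataclasses import dataclass

# Added example (not the project's code): batch evaluation of the README's four
# detection rules over a list of logged requests, as a detection thread might do
# on each sweep of the request table.


@dataclass(frozen=True)
class Request:
    ts: float     # unix timestamp
    ip: str
    method: str
    path: str
    status: int   # HTTP status returned


@dataclass(frozen=True)
class Finding:
    ip: str
    threat: str
    severity: str
    block_seconds: int   # 0 means alert only, no block
    detail: str


# Thresholds and actions from the README table. Severity for rate abuse and
# failed auth is not stated there; HIGH is this example's assumption.
RATE_LIMIT, RATE_WINDOW, RATE_BLOCK = 100, 60, 5 * 60
AUTH_LIMIT, AUTH_WINDOW, AUTH_BLOCK = 5, 10 * 60, 30 * 60
HONEYPOT_PREFIX, HONEYPOT_BLOCK = "/api/admin/", 60 * 60


def _recent(reqs, now, window):
    return [r for r in reqs if now - window < r.ts <= now]


def detect_rate_abuse(reqs, now):
    counts = Counter(r.ip for r in _recent(reqs, now, RATE_WINDOW))
    return [Finding(ip, "rate_abuse", "HIGH", RATE_BLOCK, f"{n} requests in {RATE_WINDOW}s")
            for ip, n in counts.items() if n > RATE_LIMIT]


def detect_failed_auth(reqs, now):
    # Assumption: a 401 response marks a failed authentication attempt.
    counts = Counter(r.ip for r in _recent(reqs, now, AUTH_WINDOW) if r.status == 401)
    return [Finding(ip, "failed_auth", "HIGH", AUTH_BLOCK, f"{n} auth failures in {AUTH_WINDOW}s")
            for ip, n in counts.items() if n > AUTH_LIMIT]


def detect_transaction_anomaly(reqs):
    # A payment is anomalous when the same IP never fetched its balance earlier in the log.
    findings, seen_balance = [], set()
    for r in sorted(reqs, key=lambda r: r.ts):
        if r.method == "GET" and r.path == "/api/balance":
            seen_balance.add(r.ip)
        elif r.method == "POST" and r.path == "/api/transaction" and r.ip not in seen_balance:
            findings.append(Finding(r.ip, "transaction_anomaly", "MEDIUM", 0,
                                    "payment without prior balance check"))
    return findings


def detect_honeypot(reqs):
    hits = sorted({r.ip for r in reqs if r.path.startswith(HONEYPOT_PREFIX)})
    return [Finding(ip, "honeypot_access", "CRITICAL", HONEYPOT_BLOCK, "request to honeypot endpoint")
            for ip in hits]


def run_detection(reqs, now):
    """Return {(ip, threat): Finding}, one entry per IP and rule."""
    found = {}
    for f in (detect_rate_abuse(reqs, now) + detect_failed_auth(reqs, now)
              + detect_transaction_anomaly(reqs) + detect_honeypot(reqs)):
        found.setdefault((f.ip, f.threat), f)
    return found


# Constructed sample log (documentation-range addresses, not real traffic).
NOW = 1_700_000_000.0
SAMPLE_LOG = (
    # flood: 120 balance checks within the last 30 seconds from one IP
    [Request(NOW - 30 + i * 0.25, "203.0.113.10", "GET", "/api/balance", 200) for i in range(120)]
    # brute force: six failed logins over nine minutes (/api/login is hypothetical)
    + [Request(NOW - 540 + i * 90, "198.51.100.7", "POST", "/api/login", 401) for i in range(6)]
    # payment with no balance check beforehand
    + [Request(NOW - 20, "192.0.2.44", "POST", "/api/transaction", 200)]
    # well-behaved client: balance check, then payment
    + [Request(NOW - 25, "192.0.2.45", "GET", "/api/balance", 200),
       Request(NOW - 15, "192.0.2.45", "POST", "/api/transaction", 200)]
    # honeypot probe
    + [Request(NOW - 5, "203.0.113.99", "GET", "/api/admin/users", 404)]
)

if __name__ == "__main__":
    for (ip, threat), f in sorted(run_detection(SAMPLE_LOG, NOW).items()):
        print(f"{f.severity:8} {threat:20} {ip:15} block={f.block_seconds}s  {f.detail}")
```

Running the script prints one line per finding for the four offending IPs and nothing for `192.0.2.45`, whose balance check preceded its payment. The sweep is idempotent on a given log, so the caller can re-run it every few seconds and use the `(ip, threat)` key to avoid raising duplicate alerts.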
- Total requests (1-hour window)
- Failed request rate
- Active security alerts
- Currently blocked IPs
- Traffic Timeline: Request volume over time (ECharts line chart)
- Top Endpoints: Most-accessed APIs (pie chart)
- Alert Feed: Live security incidents with severity badges
- IP Geolocation: World map showing threat origins
- IP Whitelist/Blacklist: Manual access control
- Alert Resolution: One-click incident closure
- Log Export: CSV download for forensics
- Auto-Refresh: 10-second interval updates
| Category | Technologies |
|---|---|
| Backend | Python, Flask, SQLite |
| Caching | Redis (with in-memory fallback) |
| Frontend | HTML5, Tailwind CSS, Vanilla JS |
| Charts | ECharts 5.4.3 |
| Animations | Anime.js 3.2.1 |
```
GET  /api/balance                       # Check account balance
POST /api/transaction                   # Process payment
GET  /api/history                       # Transaction history
GET  /api/monitoring/stats              # Platform statistics
GET  /api/monitoring/timeline           # Traffic over time
GET  /api/monitoring/alerts             # Security alerts
GET  /api/monitoring/blocked            # Blocked IPs
POST /api/monitoring/block-ip           # Manual IP block
POST /api/monitoring/alert/:id/resolve  # Resolve alert
GET  /api/monitoring/compliance-report  # Compliance report
```
- Baseline: Run normal traffic for 2 minutes
- Attack 1: Launch rate limit attack → Verify auto-blocking
- Attack 2: Trigger brute force → Check failed auth alerts
- Attack 3: Access honeypot endpoint → Confirm CRITICAL alert
- Attack 4: Combined attack → Validate correlation detection
- Cleanup: Resolve alerts and unblock IPs via dashboard
- Machine learning-based anomaly scoring
- Webhook integration for Slack/Teams alerts
- GraphQL API support
- Kubernetes-native deployment
- OAuth2 flow monitoring
- API key rotation recommendations
Built with ❤️ by Team AAH for Finnovate Hackathon (Track 6)
